U.S. DEPARTMENT OF THE INTERIOR
OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

INFORMATION SYSTEM SECURITY OVER SYSTEMS AND APPLICATIONS USED BY THE NATIONAL BUSINESS CENTER TO PROVIDE SERVICES TO NON-DEPARTMENT OF THE INTERIOR CLIENTS

No. A-EV-OSS-0094-2004                     August 2004

United States Department of the Interior
Office of Inspector General
National Information Systems Office
134 Union Boulevard, Suite 510
Lakewood, Colorado 80228

August 23, 2004

Memorandum

To:       Director, National Business Center

From:     Diann Sandy
          Manager, National Information Systems Office

Subject:  Review of Information System Security over Systems and Applications Used by the National Business Center to Provide Services to Non-Department of the Interior Clients (Report No. A-EV-OSS-0094-2004)

We performed the subject review based on inquiries from other Inspector General offices about the security over systems and applications used by the National Business Center (NBC) to provide services, such as payroll processing, to their respective agencies.[1] The purpose of our review was to assess NBC's information security management program and practices over these client-oriented systems and applications.

We discussed the results of our review with representatives of NBC. The officials generally agreed with our report and commented on certain report findings. We modified the report as appropriate based on the comments.

[1] The Federal Information Security Management Act of 2002 (FISMA) requires Inspectors General to evaluate their agency security program "including information systems operated by a contractor of an agency or other organization on behalf of an agency."

BACKGROUND

Information on NBC and on the Department of the Interior's (DOI) security program is described below.

NATIONAL BUSINESS CENTER

In 2000, under the Assistant Secretary for Policy, Management and Budget, NBC was created to centralize the operations and maintenance of DOI-wide administrative systems. NBC serves as the systems manager and general purpose computing host (using servers at its Denver, Colorado, and Reston, Virginia, data centers) for systems supporting budget, procurement and contracts, personnel management, financial and accounting, E-government, and other general administrative systems. In this capacity, NBC provides services related to such automated systems as the Federal Personnel and Payroll System (FPPS); Federal Financial System (FFS); Fixed Assets and Inventory Subsystems; Interior Department Electronic Acquisition System (IDEAS); electronic commerce; electronic time and attendance system (Quicktime); mainframe time-sharing; and Internet publishing. NBC also provides specialized services such as quarters management and employee drug testing. NBC provides its systems and services to DOI and other Federal organizations on a full cost-recovery basis.

NBC's services are provided through negotiated Inter-Agency Agreements (IAA). Regarding IT system operations, overall agreements are supposed to include:

• Service Level Agreements – define the specific tasks to be performed and the roles and responsibilities of the respective parties.

• Security Service Agreements – define the security roles and responsibilities of the respective parties.

• Interconnect Security Agreements – define the roles and responsibilities for client network management in connecting to NBC systems and applications.

DOI SECURITY PROGRAM

The Chief Information Officer (CIO) for DOI is responsible for providing policy, guidance, advice, and oversight for information technology (IT) security. DOI's information security program is based on Office of Management and Budget policies, National Institute of Standards and Technology (NIST) standards and guidelines, and DOI policy established in the Departmental directives.

The DOI CIO reviewed the information security programs of DOI components and established an automated DOI Computer Incident Reporting Center (DOI CIRC) for internally reporting and tracking computer incidents and for externally reporting incidents to the Federal information security incident center.[2] Additionally, DOI implemented a Command Center to track and monitor certification and accreditation of DOI components' general support systems and major applications (hereinafter referred to as system or systems).

To further aid in improving DOI's information security management program, the Chief Information Security Officer established an Information Technology Security Team comprised of information technology security managers from all the DOI components. Components also report monthly to the DOI CIO on security improvements and on the status of the certifications and accreditations completed for each system under their control.

[2] FISMA requires agencies to notify and consult with the Federal information security center on computer security incidents. At the issuance of FISMA the reporting agency was the Federal Computer Incident Response Center. Effective March 2004, under the Department of Homeland Security, the reporting agency is the U.S. Computer Emergency Readiness Team (US-CERT).

SCOPE AND METHODOLOGY

To complete our review we: reviewed documentation supporting certifications and accreditations completed in fiscal year 2004 (as of July 30, 2004) for 8 systems; tested selected controls at the data centers; interviewed NBC management and staff; and judgmentally selected and examined 15 of about 200 agreements between NBC and external clients. The 15 agreements selected were those of clients that used more than 1 NBC system. In addition, we analyzed information on system certification and accreditation which NBC reported monthly to the DOI CIO and DOI senior management.

The systems reviewed were:

• Denver Data Center Enclave General Support System (DDC) and supported applications:
  - Federal Financial System (FFS) – major application
  - Federal Personnel and Payroll System (FPPS)[3] – major application
  - Quarters Management Information System (QMIS) – major application
  - Oracle Federal Financials[4]

• Reston Local Area Network General Support System (Reston-LAN) and supported applications:
  - Interior Department Electronic Acquisition System (IDEAS)[5] – major application (databases are housed within the DDC and Reston-LAN general support systems)
  - Momentum Financial and Acquisition[4]

• Interagency Aviation Services Local Area Network (IAS-LAN) General Support System and supported applications:
  - Automatic Flight Following (AFF)
  - Federal Aviation Resources System (FARS)
  - SAFECOM
  - SAFENET
  - Interagency Aviation Training (IAT)
  - Aviation Management Information Resource System (AMIRS)

• Drug Testing System – major application

Our review was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency.

[3] FPPS includes Web FPPS, a Web-based front end for access to FPPS, and Quicktime, an electronic time and attendance system.

[4] Oracle Federal Financials and Momentum are not used by DOI; therefore, they are not considered major applications. NBC has drafted system security plans for these applications.

[5] IDEAS comprises several applications, including IDEAS-PD and IDEAS-EC. Non-DOI clients primarily use IDEAS-PD and can use IDEAS-EC; however, clients must have IDEAS-PD before they can use IDEAS-EC. Clients can implement IDEAS-PD in several ways, including using DOI as a service organization that hosts the computing platform for the application and the related database, or installing the application software and operating it in the clients' computing environment.

RESULTS OF REVIEW

With minor exceptions, we concluded that NBC's information security management program and practices met FISMA requirements. Our findings are described below. Also, the Appendix identifies the state of the security processes which each system has undergone to meet FISMA requirements, as of July 30, 2004.

ASSESSING AND MANAGING RISK AND DETERMINING THE APPROPRIATE INFORMATION SECURITY LEVEL

Controls: DOI and NBC policies and procedures require that risks be assessed every 3 years or whenever significant changes to the information system environment occur. Further, as part of implementing FISMA, DOI has specified processes to identify risks, implement security protections commensurate with mitigating the risks to an acceptable level, and identify system security levels as part of system certification and accreditation. DOI's process for identifying the system security levels is based on NIST Federal Information Processing Standards (FIPS) Publication 199, "Standards for Security Categorization of Federal Information and Information Systems."[6] These processes for identifying risk and determining security levels include conducting:

• Assessments of privacy impact based on the information collected, stored, and processed by the systems.

• Assessments of technical vulnerabilities to test the technical controls of the "as built" system.

• Evaluations of the asset and information to determine the overall importance of the system, the services the system provides, the importance and sensitivity of the data, and the costs of the resources to operate and maintain the system. Based on the reviews, systems are categorized as high risk systems, such as National critical infrastructure information systems, financial systems, or wide area network systems; mission critical or business essential systems; or other sensitive but unclassified systems.

• Reviews of the 17 key control areas identified by NIST Special Publication 800-26, "Self Assessment of Information Technology Security Controls,"[7] through DOI's 800-26 based questionnaire.

• Risk assessments based on NIST Special Publication 800-30, "Conducting Risk Assessments for Federal Information Systems."[8]

Additionally, the Departmental Manual requires component-level IT security managers to certify and document system interconnections and information sharing arrangements to assure that inherited risks from other organizations are understood and managed.

[6] FIPS Publication 199 establishes the standards for categorizing information and information systems and establishes a common framework for Federal agencies in expressing adequate security and effectiveness of information security policy, procedures, and practices.

[7] NIST Special Publication 800-26 provides an agency with a methodology to determine the current status of its information security program and provides a target for improvement. The assessment questionnaire is based on 5 levels of security and 17 control areas. The results can produce a reliable measure of security effectiveness.

[8] NIST Special Publication 800-30 provides the foundation for developing an effective risk management program. The assessment allows management to make well-informed risk management decisions to justify IT expenditures and to determine whether an IT system should be accredited.

Finding: NBC had identified the level of risk for the eight systems reviewed. However, some of these systems were not subject to a risk assessment or had not been re-assessed within a 3-year timeframe. For two of the systems (IAS-LAN and the Drug Testing System) no assessments of risk were conducted, and for the remaining six systems, risk assessments had been completed, but the assessments were not conducted utilizing NIST Special Publication 800-30 guidance. NBC performed security tests and evaluations (ST&E)[9] of seven of the eight systems during fiscal year 2004. The ST&Es examined the risk assessments and reported them as insufficient. In addition, the risk assessments of FFS and FPPS were performed over 3 years ago. NBC has reported these weaknesses in its Plan of Action and Milestone (POA&M) report.

The Drug Testing System is owned, managed, and operated by a contractor on behalf of DOI. Although NBC conducted some form of assessment of this system and identified the risk level as "low," we do not agree with the risk level assigned. NBC had not conducted a privacy impact assessment or risk assessment of this system to support its decision. NBC's self assessment of the system identified that the system contains Privacy Act information and sensitive information (results of employee drug tests); therefore, we believe the security level should be higher.

IAS-LAN is located in a contractor facility, is operated by NBC staff, and was evaluated during fiscal year 2004. However, we found that two agreements for acquiring IAS-LAN services did not clearly articulate the types of services provided, the applications to be used by the client, and each party's roles and responsibilities for securing information.

The ST&E process also identified that NBC did not ensure that all inter-agency agreements included the information needed to ensure that risks were fully understood and that protections were in place to reduce the risks to an acceptable level. To address this problem, NBC developed Security Service Agreements and Interconnect Security Agreements that are to be included as part of the overall agreements. However, only 1 of the 15 agreements we reviewed had a Security Service Agreement, and none had Interconnect Security Agreements. NBC reported in its POA&M that the Security Service and Interconnect Security Agreements will be incorporated by December 2005 as part of all applicable inter-agency agreements.

To ensure that risks are understood and that security protections are established to reduce the risks to acceptable levels, we believe that an exchange of system security plans between NBC and its clients should be accomplished. This exchange will provide each party the information necessary to understand the level of importance each party assigns to the sensitivity and criticality of the systems and information, as well as describing the respective control environments. Through these exchanges NBC will have a better understanding of the risks to its systems and of external clients' requirements, so that appropriate protections are implemented.

[9] Security test and evaluation (ST&E) is a process to identify security weaknesses or vulnerabilities. DOI requires an ST&E for each system as part of the certification and accreditation process. DOI's ST&E methodology is based on NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems."

PERIODICALLY TESTING AND EVALUATING INFORMATION SECURITY CONTROLS AND TECHNIQUES

Control: DOI's policy requires security controls and techniques to be tested and evaluated by DOI components through monthly vulnerability scans of internal networks and annual self-assessments of controls based on DOI's self-assessment questionnaire. Additionally, as part of the certification and accreditation process, systems' controls are evaluated.

Finding: All eight systems reviewed had undergone DOI's self-assessment evaluation during fiscal year 2004. Also, FFS, FPPS, and Momentum are reviewed annually under Statement on Auditing Standards 70,[10] established by the American Institute of Certified Public Accountants. Controls over DOI's administrative systems (FFS, FPPS, and IDEAS) and the hosting general support systems are tested and evaluated as part of DOI's annual financial statement audits. Testing under the financial statement audits has not, at this time, identified any significant weaknesses in the security of FFS, FPPS, and the supporting DDC general support system.

During fiscal year 2004 (as of July 30, 2004), NBC conducted limited technical vulnerability assessments of two systems, QMIS and IAS-LAN. Of the remaining six systems, all but the Drug Testing System, which had not had a technical vulnerability assessment, had limited technical vulnerability assessments performed during fiscal year 2003.

Additionally, as part of the certification and accreditation process, NBC conducted ST&Es on seven of the eight systems. We reviewed the ST&E methodology and scope for each system evaluated and concluded that the ST&E process was generally comprehensive, except for the evaluation of the Reston-LAN. In this evaluation, the facility that housed Momentum was excluded. We also generally agreed with the level of risk assigned to the weaknesses. We reviewed the ST&E results of 74 weaknesses or vulnerabilities and the related residual risk reports, which identified security related risks of the weaknesses or vulnerabilities that may affect NBC operations. Of the ST&E and residual risk reports reviewed, FFS and the enterprise server component of DDC had no weaknesses, and the remaining six systems had 74 weaknesses, of which 13 were considered high risk (IAS-LAN), 32 were considered medium risk, 22 were considered low risk, and 7 high-risk weaknesses were mitigated. NBC did include all of the other 67 weaknesses in its POA&M.

[10] Statement on Auditing Standard 70, "Reports on the Processing of Transactions by Service Organizations," includes EDP service centers that process transactions and data for others. The Standard provides guidance on the factors an independent auditor must consider when auditing the financial statements of an entity that uses a service organization. The review identifies control objectives, controls established to meet the objectives, and tests of the controls to determine whether they are operating effectively.

MINIMALLY ACCEPTABLE SYSTEM CONFIGURATION REQUIREMENTS

Control: DOI has established security technology implementation guidelines for configuration requirements of specific IT resources, such as the UNIX operating system, and has also adopted certain NIST security configuration guidance, such as for securing Windows XP.

Finding: NBC has guidance regarding baseline and security configuration requirements for its servers. Additionally, NBC reported that additional security configuration requirements are needed, and this condition is reported as a weakness in its POA&M report. Within six of the seven systems that had security plans, we found some identification of system security configurations, but the configurations were not necessarily consistent.

SUBORDINATE PLANS

Control: DOI's policy requires that each general support system and major application have an individual system security plan that is based on NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems."[11]

Finding: All but one of the eight systems reviewed (the Drug Testing System) had a system security plan. However, improvements are needed to most of the plans. The needed improvements include: better description of the control environment; assignment of security responsibility to appropriate personnel rather than to the NBC IT security manager or deputy or to individuals with other system management duties; descriptions of applications being supported by general support systems, including those of external clients; clarification between current controls and planned controls; and identification of laws and regulations specific to a system rather than general information security laws and regulations such as FISMA. NBC reported these weaknesses in its POA&M.

[11] NIST Special Publication 800-18 identifies information to be included in a general support system and major application system security plan. This information includes a description of the system's security requirements, controls in place or planned for meeting those requirements, and the protection of information resources. The security plan is also the foundation for system accreditation.

INFORMATION SECURITY MANAGEMENT INTEGRATED WITH STRATEGIC AND OPERATIONAL PLANNING PROCESSES

Control: DOI specifies that security requirements be included in information technology budget and investment justification documents and that the DOI Office of the Chief Information Security Officer verify that the documents contain security requirements. Additionally, DOI requires that the resource requirements needed to correct identified weaknesses be included in POA&Ms.

Finding: Generally, NBC included estimated funding for all planned corrective actions in the appropriate documents. Further, the DOI CIO requires that, as part of the certification and accreditation process, POA&Ms be used for identifying, prioritizing, managing, and tracking actions to correct security weaknesses. NBC followed this process.

TRAINING PERSONNEL IN SECURITY RESPONSIBILITIES

Control: DOI requires that all employees and contractors complete annual online security awareness training. Additionally, DOI instituted a tracking system to identify and report the numbers and percentages of employees who have successfully completed the annual training. Further, NBC's policy requires that all newly hired employees and contractors successfully complete security training prior to obtaining access to NBC systems and applications.

Finding: As of June 2004, all NBC employees and contractors had successfully completed their annual security awareness training. In tests of systems and reviews of certification and accreditation documentation, we did not find any instances where new NBC staff and contractors were granted access to systems before completing the required training.

NBC has established a process to monitor the completion of specialized security training, including security awareness training, for employees holding key IT positions, such as program managers and system owners. However, NBC does not have a process to monitor the completion of technical or specialized training to ensure that such training is regularly completed by employees and contractors with IT security responsibilities. DOI IT staff who manage the security of systems are also encouraged to attain the Certified Information System Security Professional certification. The NBC IT security manager and five other NBC staff have attained this certification. Also, NBC IT Directorate management had attended specialized training related to their information security management responsibilities.

INCIDENT DETECTION AND REPORTING

Control: DOI's incident reporting and handling policy and handbook require components to develop specific incident reporting and handling policies and procedures and to establish incident response teams. In addition, DOI has implemented an automated incident reporting system (DOI CIRC) and requires DOI components to report all incidents. Incidents reported to DOI CIRC are also reported to US-CERT. NBC also has policies and procedures for identifying, reporting, and handling computer security incidents and has a computer security incident response team. Further, NBC has rules of behavior that describe the process users of the systems should follow in identifying and reporting incidents. Finally, all internal users are required to sign the rules of behavior prior to being granted access to NBC systems and applications.

Finding: NBC is following its handbook and is reporting incidents to DOI CIRC, from which they are automatically reported to US-CERT.

REMEDIAL ACTIONS TO ADDRESS DEFICIENCIES

Control: DOI policy requires that weaknesses identified during any review be reported in POA&Ms. As part of the POA&M process, DOI requires components to provide the DOI CIO with quarterly updates on progress in completing and managing corrective actions for each weakness.

Finding: NBC generally included weaknesses identified through Office of Inspector General audits and through NBC's system tests, evaluations, and self assessments in its POA&M.

CONTINUITY OF OPERATIONS

Control: DOI requires that continuity of operations plans be developed for every system and that the plans be tested at least annually.

Finding: NBC had business resumption plans and continuity of operations plans for six of the eight systems reviewed. However, contingency plans were not always updated based on tests of the plans, and improvements were needed in documenting test results and applying lessons learned. We also noted that NBC's ST&E and self-assessment processes evaluated backup and recovery procedures and practices and identified only low-risk weaknesses.

SECURITY PRACTICED

Control: DOI's policy requires that every system include security as part of its life cycle management process.
In\n                           addition, systems are required to be certified and accredited\nTHROUGHOUT LIFE\n                           and are re-certified and re-accredited every 3 years or\nCYCLE OF EACH              whenever significant changes occur.\nINFORMATION\nSYSTEM                     Finding: NBC generally followed DOI\xe2\x80\x99s certification and\n                           accreditation process. That is, NBC generally described the\n                           security life cycle management for each of the seven system\n                           security plans we reviewed. Further, through the various\n                           reviews and assessments, NBC demonstrated that security\n                           was being practiced for six of the systems and that needed\n                           security improvements were reported, tracked, and monitored\n                           through NBC\xe2\x80\x99s POA&M process.\n\nSUGGESTION FOR IMPROVEMENT\nTo improve its security program, we suggest that NBC obtain from its clients\xe2\x80\x99 the system\nsecurity plans for general support systems and major applications attributable to the\napplication services being provided. 
In addition, we suggest that NBC provide to its clients the system security plans of the applications and general support systems used.

APPENDIX

Department of the Interior
National Business Center General Support Systems and Major Applications Used by non-DOI Clients

Each row lists the date (month and two-digit year) on which the named document or activity was completed, or "Yes" where the table records only whether the item exists; a dash marks a cell that is blank in the original table.

System Name | Operated By | Asset Valuation | Privacy Impact Assessment | System Security Plan | Self-Assessment (800-26) | Limited or Technical Vulnerability Assessment | Risk Assessment | Contingency Plan | Testing of Contingency Plan | ST&E Report | Residual Risk Report | Weaknesses in POA&M | Certification | Accreditation

Denver Data Center Enclave General Support System | DOI | Sept. 03 | Yes | Sept. 03 | March 04 | Sept. 03 | June 01 | April 04 | March 04 | June 04 | June 04 | Yes | June 04 | June 04

Applications Housed by Denver Data Center:
Federal Financial System | DOI | Sept. 03 | Yes | Feb. 04 | April 04 | Sept. 03 | July 00 | April 04 | March 04 | June 04 | July 04 | Yes | July 04 | July 04
Federal Personnel and Payroll System | DOI | July 04 | Yes | July 04 | March 04 | Sept. 03 | June 00 (1) | April 04 | Aug. 04 | June 04 | July 04 | Yes | July 04 | July 04
Quarters Management Information System | DOI | June 04 | Yes | April 04 | April 04 | May 04 | July 01 | April 04 | March 04 | June 04 | July 04 | Yes | July 04 | July 04
Oracle Federal Financial (2): This application is not considered a DOI major application; therefore, it was included as part of the Denver Data Center Enclave General Support System.

Reston Local Area Network General Support System | DOI | May 04 | Yes | May 04 | April 04 | Oct. 03 | Sept. 03 | Aug. 03 | Aug. 03 | June 04 | June 04 | Yes | June 04 | June 04

Applications Housed by Reston Local Area Network General Support System:
Momentum (2): This application is not considered a DOI major application; therefore, it was included as part of the Reston Local Area Network General Support System.
Interior Department Electronic Acquisition System | DOI | July 03 | Yes | Mar. 04 | March 04 | July 03 | Oct. 01 | Aug. 03 | Aug. 03 | May 04 | June 04 | Yes | June 04 | July 04

Drug Testing System | Contractor | - | - | - | May 04 | - | - | - | - | - | - | Yes | - | -

Interagency Aviation Services Local Area Network General Support System | DOI/Contractor | May 04 | Yes | April 04 | April 04 | April 04 | April 04 | - | - | June 04 | June 04 | Yes | June 04 | June 04

Applications Housed by Interagency Aviation Services Local Area Network:
Automatic Flight Following System; Federal Aviation Resources System; SAFECOM; SAFENET; Interagency Aviation Training System. These applications are not considered by DOI as major applications; therefore, they were included as part of the Interagency Aviation Services Local Area Network.

(1) An asset valuation, technical vulnerability assessment, and a self-assessment were completed in June 2003 of the Federal Personnel and Payroll System based on the Department's definition of an "initial" risk assessment.
(2) Oracle Federal Financial System and Momentum are used by non-DOI clients.